AWS Identity and Access Management Policy Simulator

AWS Identity and Access Management (IAM for short) lets you control access to AWS services and resources using access control policies. IAM includes a large collection of prebuilt policies, and you can also create your own.

IAM policies consist of policy statements. Each statement either allows or denies access to some AWS services (at the level of individual API functions) or resources. Policies can be attached to users, groups, or roles.

The following sample policy allows access to all EC2 APIs and resources:

New Policy Simulator

The policy language is rich and expressive and we want to make it even easier for you to use. Until now you had to apply policies in production in order to make sure that they behave as expected.

Today we are introducing the IAM Policy Simulator tool. Using this tool you can now test the effects of your IAM policies before you commit them to production. You simply choose the policy that you want to evaluate, select from a list of AWS options, and click the Run Simulation button.

Let’s say that you are the AWS account owner and you want to make sure that I (represented by IAM user jeff) have access to all of the EC2 APIs. You select my name, the service, and the functions that I need to be able to access (you can also use the Select All button):

The policy will be evaluated when you push the Run Simulation button and the simulator will display the results. It looks like I don’t have access to the EC2 APIs (this is because IAM users have no permissions unless they are explicitly granted):

I need to have access, so you visit the IAM tab of the AWS Management Console and attach the Amazon EC2 Full Access Policy to user jeff:

Then you return to the simulator and run the simulation again. This time I have access:

This is just a taste of what you can do with the IAM Policy Simulator. You can choose to exclude policies from the simulation so that you can see what happens if they are removed. You can simulate access to specific resources, and you can create and test newly generated policies within the simulator.
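The walkthrough above can be reproduced offline with a simplified evaluator. This is an added example, not AWS code and not the simulator's implementation. It models only Effect, Action and Resource in identity-based policies (no Condition, NotAction or permission boundaries), and the two policies, the decision labels and the function names are constructed for illustration.

```python
import re

# Constructed policy: allow every EC2 action on every resource.
EC2_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
# Constructed policy: explicitly deny one action, to show Deny beating Allow.
DENY_TERMINATE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}],
}

def _as_list(value):
    # Policy elements may be a single string/object or a list of them.
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, flags=0):
    # Policy wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags | re.DOTALL) is not None

def simulate(policies, action, resource="*"):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are matched case-insensitively, resources exactly.
            if not any(_wild(a, action, re.IGNORECASE) for a in _as_list(stmt["Action"])):
                continue
            if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # a matching Deny always wins
            allowed = True
    # No matching statement at all means the request is denied by default.
    return "allowed" if allowed else "implicitDeny"

def walkthrough():
    """User jeff before and after attaching policies, as in the post."""
    actions = ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances"]
    attached = {
        "before": [],
        "after": [EC2_FULL_ACCESS],
        "with_deny": [EC2_FULL_ACCESS, DENY_TERMINATE],
    }
    return {label: {a: simulate(p, a) for a in actions} for label, p in attached.items()}

if __name__ == "__main__":
    for label, results in walkthrough().items():
        print(label, results)
```

Dropping a policy from the list passed to `simulate` mirrors excluding it in the simulator, so the effect of removing it can be checked before the change is made.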